CVE-2024-53052
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
io_uring/rw: fix missing NOWAIT check for O_DIRECT start write
When io_uring starts a write, it'll call kiocb_start_write() to bump the super block rwsem, preventing any freezes from happening while that write is in-flight. The freeze side will grab that rwsem for writing, excluding any new writers from happening and waiting for existing writes to finish. But io_uring unconditionally uses kiocb_start_write(), which will block if someone is currently attempting to freeze the mount point. This causes a deadlock where freeze is waiting for previous writes to complete, but the previous writes cannot complete, as the task that is supposed to complete them is blocked waiting on starting a new write. This results in the following stuck trace showing that dependency with the write blocked starting a new write:
task:fio state:D stack:0 pid:886 tgid:886 ppid:876 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_rwsem_wait+0x1e8/0x3f8 __percpu_down_read+0xe8/0x500 io_write+0xbb8/0xff8 io_issue_sqe+0x10c/0x1020 io_submit_sqes+0x614/0x2110 __arm64_sys_io_uring_enter+0x524/0x1038 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170 INFO: task fsfreeze:7364 blocked for more than 15 seconds. Not tainted 6.12.0-rc5-00063-g76aaf945701c #7963
with the attempting freezer stuck trying to grab the rwsem:
task:fsfreeze state:D stack:0 pid:7364 tgid:7364 ppid:995 Call trace: __switch_to+0x1d8/0x348 __schedule+0x8e8/0x2248 schedule+0x110/0x3f0 percpu_down_write+0x2b0/0x680 freeze_super+0x248/0x8a8 do_vfs_ioctl+0x149c/0x1b18 __arm64_sys_ioctl+0xd0/0x1a0 invoke_syscall+0x74/0x268 el0_svc_common.constprop.0+0x160/0x238 do_el0_svc+0x44/0x60 el0_svc+0x44/0xb0 el0t_64_sync_handler+0x118/0x128 el0t_64_sync+0x168/0x170
Fix this by having the io_uring side honor IOCB_NOWAIT, and only attempt a blocking grab of the super block rwsem if it isn't set. For normal issue where IOCB_NOWAIT would always be set, this returns -EAGAIN which will have io_uring core issue a blocking attempt of the write. That will in turn also get completions run, ensuring forward progress.
Since freezing requires CAP_SYS_ADMIN in the first place, this isn't something that can be triggered by a regular user.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 485d9232112b17f389b29497ff41b97b3189546b | affected |
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 4e24041ba86d50aaa4c792ae2c88ed01b3d96243 | affected |
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 9e8debb8e51354b201db494689198078ec2c1e75 | affected |
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 003d2996964c03dfd34860500428f4cdf1f5879e | affected |
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 26b8c48f369b7591f5679e0b90612f4862a32929 | affected |
| Linux | Linux | 2b188cc1bb857a9d4701ae59aa7768b5124e262e < 1d60d74e852647255bd8e76f5a22dc42531e4389 | affected |
| Linux | Linux | 5.1 | affected |
| Linux | Linux | 0 < 5.1 | unaffected |
| Linux | Linux | 5.10.230 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.172 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.116 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.60 <= 6.6.* | unaffected |
| Linux | Linux | 6.11.7 <= 6.11.* | unaffected |
| Linux | Linux | 6.12 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
References
- https://git.kernel.org/stable/c/485d9232112b17f389b29497ff41b97b3189546b
- https://git.kernel.org/stable/c/4e24041ba86d50aaa4c792ae2c88ed01b3d96243
- https://git.kernel.org/stable/c/9e8debb8e51354b201db494689198078ec2c1e75
- https://git.kernel.org/stable/c/003d2996964c03dfd34860500428f4cdf1f5879e
- https://git.kernel.org/stable/c/26b8c48f369b7591f5679e0b90612f4862a32929
- https://git.kernel.org/stable/c/1d60d74e852647255bd8e76f5a22dc42531e4389
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.